PayPal Security Loophole
Criminals see PayPal-related messages as an easy route to fraud. Many such requests are quick to spot because they do not relate to any known purchase. Another tell-tale sign is that the sender's details and any web links within the message do not follow the expected PayPal URL format, although scammers often go a long way towards imitating it.
One way that fraudsters avoid being revealed through the message headers or URL text is to work from within a genuine PayPal account. This could be one that they own or a compromised account to which they have gained access. The receiver of the message will be reassured that the email headers and PayPal links are all genuine (because they are), and following them through will lead to the details of an authentic transaction request on PayPal. The trick is to put the key to the scam within the 'note' section of a genuine invoice or request for funds. This section is designed for messages about the goods exchanged but is not strongly regulated by PayPal. A genuine use might be a delivery address for the goods; in this scam it instead carries instructions on how to complain if the transaction seems to be in error. Those contact details will not lead to PayPal but to a portal controlled by the fraudster.
The hook revolves around sending a PayPal invoice or request for funds that is clearly in error, so that the receiver reports the incident to PayPal. The contact web link or phone number listed within the transaction note is the entry point into the fraudster's system. The mark sets out to report the PayPal transaction to avoid any automated transfer of funds but is instead tricked into disclosing personal details or downloading malware. In this example from KrebsOnSecurity a spoof call centre attempted to have the mark download a remote administration tool.
PayPal recognise that scammers attempt to manipulate their systems and offer advice to users who see suspicious activity. In cases where a request appears to be from PayPal, the receiver should search for PayPal's contact details online and not rely on any embedded within the original message. The original message should be forwarded to phishing@paypal.com, which will investigate the source account.
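A defender-side check of the kind the article describes, added here as an example and not code from the original article or from PayPal: given the sender address and body of an invoice notification, it confirms the sender and links are on PayPal domains and then flags any phone number or non-PayPal link in the body (where the note text lands) as an off-platform contact route. The accepted domain list and the sample message are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosts treated as genuine PayPal (assumption; not PayPal's full domain list).
PAYPAL_DOMAINS = ("paypal.com", "paypal.me")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Loose phone pattern: optional '+', then 10+ chars of digits/spaces/punctuation.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def is_paypal_host(host: str) -> bool:
    """True only for paypal.com / paypal.me or a real subdomain of them.
    'paypal.com.example.net' fails because the registered domain is checked
    as a suffix, which is how look-alike hosts in scam notes are caught."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PAYPAL_DOMAINS)


def sender_is_paypal(from_addr: str) -> bool:
    """Check the mailbox domain of the From: address (display names stripped)."""
    match = re.search(r"@([\w.-]+)", from_addr)
    return bool(match) and is_paypal_host(match.group(1))


def suspicious_links(text: str) -> list:
    """Return every URL in text whose host is not a PayPal domain."""
    return [u for u in URL_RE.findall(text)
            if not is_paypal_host(urlparse(u).hostname or "")]


def off_platform_contacts(body: str) -> dict:
    """Flag contact routes that bypass PayPal: any phone number, and any
    link not hosted by PayPal. Genuine PayPal links are not reported."""
    phones = [re.sub(r"\s+", " ", p).strip() for p in PHONE_RE.findall(body)]
    return {"phones": phones, "links": suspicious_links(body)}


# Constructed sample: a real-looking invoice whose note carries the scam contact.
SAMPLE_FROM = "service@paypal.com"
SAMPLE_BODY = (
    "You have a new invoice. View it at https://www.paypal.com/invoice/p/ABC123\n"
    "Note from seller: if you did not authorise this charge call +1 555 013 7788 "
    "or visit http://paypal.com.billing-dispute.example/cancel"
)

if __name__ == "__main__":
    print("sender genuine:", sender_is_paypal(SAMPLE_FROM))
    print("off-platform contacts:", off_platform_contacts(SAMPLE_BODY))
```

A message whose headers and links all pass but whose note still yields phone numbers or foreign links is exactly the genuine-account variant described above, and warrants the out-of-band contact route the article recommends.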